This Metasploit module exploits an arbitrary PHP code execution flaw in the vBulletin web forum software. This vulnerability is only present when the "Add Template Name in HTML Comments" option is enabled. All versions of vBulletin prior to 3.0.7 are affected.

-
Vulnerability Description

vBulletin contains a flaw that may allow a malicious user to inject and execute arbitrary PHP code, because nested input passed to the "template" parameter in "misc.php" isn't properly verified and can be exploited. The issue is triggered when the "Add Template Name in HTML Comments" option is enabled. It is possible that the flaw may allow the injection and execution of arbitrary PHP code resulting in a loss of confidentiality and integrity.

-
Timeline

Disclosure date: 2005-02-22

Discovery date: 2005-02-17

Exploit date: 2005-02-22

Solution date: Unknown

-
Solution

Upgrade to version 3.0.7 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: disable the "Add Template Name in HTML Comments" option.

-
Unaffected Software Versions

VBulletin VBulletin 3.0.7

-
Vulnerability Discussion

vBulletin is reported prone to an arbitrary PHP script code execution vulnerability. The issue is reported to exist due to a lack of sufficient input sanitization performed on user-supplied data before this data is included in a dynamically generated script.

This vulnerability is reported to affect vBulletin board versions up to and including 3.0.6 that are configured with 'Add Template Name in HTML Comments' functionality enabled.

-
Exploit

The following example is available:

http://www.example.com/misc.php?do=page&template={${phpinfo()}}

An exploit (php_vbulletin_template.pm) for the Metasploit Framework is available.
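To check whether a forum has received requests of the form shown above, the following added example (not part of the original advisory or of vBulletin) scans web server access log lines for misc.php requests whose "template" parameter contains PHP variable-interpolation syntax, including percent-encoded and double-encoded forms. The common/combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a common/combined log format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: PHP interpolation syntax ("${" or "{$") is not expected in a template name
PHP_INTERPOLATION_RE = re.compile(r"\$\{|\{\s*\$")


def fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. %257B -> %7B -> {."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target):
    """True if a misc.php request carries interpolation syntax in 'template'."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/misc.php"):
        return False
    return any(
        name.lower() == "template" and PHP_INTERPOLATION_RE.search(fully_unquote(value))
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    )


def scan(lines):
    """Return the log lines whose request target matches the pattern."""
    matches = ((line, REQUEST_RE.search(line)) for line in lines)
    return [line for line, m in matches if m and is_suspicious(m.group(1))]


# Constructed sample log lines (documentation IP addresses), not real traffic
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2005:10:00:01 +0000] "GET /misc.php?do=page&template={${phpinfo()}} HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Feb/2005:10:00:05 +0000] "GET /misc.php?do=page&template=%257B%2524%257Bphpinfo()%257D%257D HTTP/1.1" 200 5120',
    '192.0.2.12 - - [22/Feb/2005:10:01:00 +0000] "GET /misc.php?do=page&template=rules HTTP/1.1" 200 2048',
    '192.0.2.13 - - [22/Feb/2005:10:02:00 +0000] "GET /index.php?template={${x}} HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A match only shows that a request with this pattern reached the server; whether it had any effect depends on the vBulletin version and on the "Add Template Name in HTML Comments" setting described above.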